EFW Support
Welcome,
Guest
. Please
login
or
register
.
Did you miss your
activation email?
Friday 01 November 2024, 01:18:59 pm
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
Visit the Official Endian Reference Manual
HERE
14248
Posts in
4376
Topics by
6515
Members
Latest Member:
hulteends
Search:
Advanced search
EFW Support
Support
General Support
2.4 Intrusion Prevention service started, 'Allow with IPS' always set?
0 Members and 1 Guest are viewing this topic.
« previous
next »
Pages:
[
1
]
Author
Topic: 2.4 Intrusion Prevention service started, 'Allow with IPS' always set? (Read 15212 times)
boblowski
Jr. Member
Offline
Posts: 3
2.4 Intrusion Prevention service started, 'Allow with IPS' always set?
«
on:
Sunday 08 August 2010, 06:21:36 am »
Hello all,
A Monowall/pfSense user here who just recently discovered EFW, so perhaps I misunderstand a thing or two and somebody can help me.
I have a fairly basic test setup with a 'red', 'green' and 'orange' net. Added 2 NAT rules to forward requests to internal HTTP/HTTPS servers and for the rest some basic rules for outgoing and interzone traffic. (This in VMware ESXi 4.1 with E1000 NIC's.) Everything seems to work well.
Now I wanted to add Snort/IPS _only_ for incoming NAT traffic, so I switched on the Intrusion Prevention service, downloaded IPS rules and changed the NAT rules from 'allow' to 'allow with IPS'. All other rules are still just 'allow' with IPS. All relevant IPS rules were changed from 'alert' to 'block'. (BTW, another question: It's not possible to block IP's instead of just the request?)
That works for incoming NAT traffic and rules get triggered. The problem however is that the IPS seems to monitor _all_ traffic, even outgoing traffic and interzone traffic. Snort blocks for example incoming responses to outgoing DNS queries and things like interzone non-SSL HTTP authentication requests.
I'm by no means a network specialist, so perhaps I just misunderstand something. Any help is appreciated!
Thanks, Bob
Logged
boblowski
Jr. Member
Offline
Posts: 3
Re: 2.4 Intrusion Prevention service started, 'Allow with IPS' always set?
«
Reply #1 on:
Wednesday 11 August 2010, 07:00:33 pm »
Hello again,
I really hope somebody can point me in the right direction. After searching the forums I found that other people have the same problem, like:
<FORUM URL>/index.php?topic=1733.0
But no answers. Is this a know bug or limitation? Where can I find more information?
Since this severely limits the usability of EFW, I take it for most people it 'just works' and the problem must be at my side. Any hints perhaps?
Thanks, Bob
Logged
boblowski
Jr. Member
Offline
Posts: 3
Re: 2.4 Intrusion Prevention service started, 'Allow with IPS' always set?
«
Reply #2 on:
Tuesday 24 August 2010, 07:09:20 pm »
A small bump...
After trying for some time to get this to work, I'm about to give up on Endian Firewall. Snort is absolutely required for us, but EFW only seems to work correctly if IPS is switched off.
Is there anybody out here using EFW that is actually using the IPS/snort functionality? Before I spend any more time on this, it would really help me a lot to know if this is supposed to work or if this is a known limitation of EFW.
Thanks, Bob
Logged
Pages:
[
1
]
« previous
next »
Jump to:
Please select a destination:
-----------------------------
Announcements
-----------------------------
=> Project News
=> Latest News and Updates
-----------------------------
Support
-----------------------------
=> General Support
=> Installation Support
=> EFW SMTP, HTTP, SIP, FTP Proxy Support
=> VPN Support
=> Hardware Support
-----------------------------
Development
-----------------------------
=> EFW Wishlist
=> Contribute Your Customisations & Modifications
Page created in 0.031 seconds with 18 queries.
Powered by SMF 1.1 RC2
|
SMF © 2001-2005, Lewis Media
Design by
7dana.com
Author